
Performance standards

In document EXPLOSION MITIGATION (Page 66-69)

3. Fires on offshore installations

3.6 Performance standards

3.6.1 Application of performance standards

The fire and gas detection and protection systems on an installation are generally categorised as safety critical systems, or ‘safety critical elements’ (SCEs) for the installation. In order to pass on the understanding of the design and operation of each system to those who operate and maintain the installation, the key features of the systems are recorded for all to see and understand in the form of ‘Performance Standards’.

The Performance Standards for SCEs should contain precise information relating to the functionality, availability, reliability and survivability of the system in question.

It is rare for platforms to have only one type of device within such systems. The ‘Fire and Gas Detection’ or the ‘Active Fire Protection’ SCEs, for example, will have many different aspects, parts or subsystems. While the ‘goal’ of the overall system will be the same, the Performance Standards for each part of the SCE will probably be different and need to be specified separately within the documentation.

3.6.2 Functionality issues

As can be seen from Section 3.4, there are many different types of equipment available for the purposes of detecting fires and gas releases, and for protecting against fire. The principles of operation of the various sub-systems vary widely, as do the availability and reliability requirements of the equipment involved. It is important that the Performance Standard captures all the key information, not just part of it. In addition, it should provide cross references to the various codes, standards, analyses and guidance documents which have a bearing on the performance.

Some examples of different functionalities within the same SCE Performance Standard are shown in Table 3-4 below:

Table 3-4 Typical safety critical element functionality descriptions

SCE / Sub-item / Functionality / Typical derivation/supporting documents

1. Gas detection at inlets to enclosed areas containing non-certified electrical equipment / Detect low-level gas at 10 % (alarm) and high-level at 25 % (ESD 1, close dampers, S/D fan). 3 IR point detectors in each duct on 2oo3 voting.

2. Gas detection in open hazardous areas / Detect 50 % LEL gas cloud of radius 5 m or more using paired IR beam detection in process modules. Confirmed beam-pair in process modules. Executive action only on coincident gas detection (by beam detectors) in same area.

In-house Vendor Design Code for Acoustic Detection

separator and oil metering modules with at least 3 % AFFF to cool equipment in vicinity of oil pool fires and prevent consequent leakage from other inventories. Activated on confirmed Flame detection (2ooN) voting.

Water mist injection to generator rooms to provide suppression and cooling. Activated on confirmed smoke or heat detection in generator room.

1. H120 firewalls / Firewall at gridline 2, process area boundary, providing protection to TR and TEMPSC embarkation areas

Fire protection of gas space of First Stage Separator to protect against jet fire impingement from gas export system and potential BLEVE.

Note that a jet fire rating has been proposed in the latest draft version of the ISO (22899-1) on the jet fire test.

This is specified as:

Type of application / Critical temperature rise (°C) / Type of fire / Period of

3.6.3 Availability issues

These are often given limited consideration in Performance Standards. It is important to understand the availability issues for any Performance Standard. A significant factor in generating a system’s availability is obtaining an estimate of the level of unrevealed failure modes the system may be subject to.

Just as there are different functionalities, there are differing availabilities associated with different methods or types of protection equipment. Availability is not the same as reliability. The availability is the fraction of time the equipment is available to perform its intended function. A passive coating, for example, is available 100 % of the time (assuming it has not been damaged or degraded in service). A passive fire protection enclosure or removable cladding on a vessel, however, may be removed for several weeks in the year to allow inspection of a valve or NDT of a significant part of a vessel. Similarly, automatic Fire and Gas detection systems might be keyed out, making them only partially available during maintenance or project-related activities.

It is important that the person responsible for devising the Performance Standard also documents the assumptions made regarding availability, so that the design intent is correctly understood and upheld throughout the life cycle of the installation by the operations and maintenance personnel.

• Evacuation Systems -- Due to jet fire exposure potential, a standby vessel will be on close standby whenever the installation (normally unmanned) is manned. Manning will only be allowed within documented weather operating limits (2 m significant wave height) for Skyscape© evacuation system.

3.6.4 Reliability issues

Reliability and availability are two technical terms that are often confused. Availability has been explained above. Reliability is the probability that the system or item of equipment will perform its intended function when required to do so. The reliability details for each system or subsystem listed within a performance standard should be clearly stated, with reference back to the reliability studies carried out during the design of the equipment. Changing the frequency of inspection and maintenance will have a direct bearing on its stated reliability. For this reason, the maintenance or inspection period used as a key input to the frequency figure quoted must also be quoted in order for the reliability figure to be meaningful. As noted above for availability, it is important to obtain an estimate of the level of unrevealed failure modes the system may be subject to, preferably from gathered “own experience”.

It is also important to understand that reliability figures theoretically derived from calculations involving manufacturer’s data on ‘mean time to failure’ may be over-optimistic. It is strongly advised that platform-specific information is used in evaluating equipment and plant reliability. The manufacturer’s data may have been gained under laboratory conditions and produce times-to-failure information that may not be reproducible in the real offshore environment, or may otherwise represent an amalgam of accumulated data from a range of applications and maintenance regimes. For example, theoretical calculations for a pellistor gas detection head, using the manufacturer’s data, may imply that an adequate reliability is achieved by a 6 monthly test and inspection frequency. In reality, if the detector is then placed in an air inlet duct, exposed to salt, spray, temperature and pressure cycling and vibration, the time to failure in actual service may be significantly shorter. Where unrevealed faults in safety equipment could occur, test/maintenance history must be monitored. If every time the gas detector is tested it fails to operate, there must be immediate feedback to the responsible engineer that the high reliability indicated in the Performance Standard is not being achieved. The test frequency should then be adjusted (for example to a 3 monthly interval) until it can be demonstrated that an appropriate level of reliability is restored.

Voting arrangements for heat, smoke, flame or gas detectors also have a direct bearing on the proposed frequency of maintenance interventions. For example, a detection voting system that requires 1 detection element to be activated out of a total of 2 (known as 1 out of 2 and indicated as 1oo2) has only one other item by way of redundancy, and a spurious indication from either item will cause unit or platform shutdown. It should be remembered that reliability requirements encompass unnecessary activation as well as failure to activate. The “built-in” redundancy is unavailable during maintenance of any one item. Industry good practice has converged on 2 out of 3 voting systems (2oo3), which offer a “good” compromise: the high reliability of having 3 items available, a working arrangement still in place in the event of a single item failure, and a lower demand rate for spurious indications, as a confirmed signal is always required. During maintenance this arrangement becomes a 2oo2 system. The voting arrangements should always be stated in the Performance Standards. Where reliance is placed on just one or two detectors to take executive action, a review of the failure modes and the consequences of failure should always be undertaken, and the consequences of maintenance changes need to be evaluated to ensure there are no knock-on effects on the platform’s overall risk profile.
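The trade-off described in this section can be put into numbers. The following is an added example, not part of the guidance: it compares the voting arrangements named above (including 2oo3 degraded to 2oo2 during maintenance) at 6 monthly and 3 monthly test intervals. The failure rate, the spurious-signal probability and all function names are constructed for illustration, and the detectors are assumed to fail independently with a constant unrevealed-failure rate (no common-cause failures).

```python
from math import comb, exp

def pfd_avg(rate_per_hour, test_interval_hours):
    """Average chance that one detector sits in an unrevealed failed state
    between proof tests, for a constant unrevealed-failure rate."""
    x = rate_per_hour * test_interval_hours
    return 1 - (1 - exp(-x)) / x

def at_least(k, n, p):
    """P(at least k of n independent detectors are in a state of probability p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def voting(k, n, p_fail, p_spurious):
    """(P(no executive action on a real demand), P(spurious action)) for k-out-of-n."""
    fail_on_demand = 1 - at_least(k, n, 1 - p_fail)   # fewer than k detectors respond
    spurious = at_least(k, n, p_spurious)             # k or more false signals coincide
    return fail_on_demand, spurious

# Constructed figures for illustration; not taken from the guidance.
RATE = 2e-5                 # unrevealed failures per detector-hour
P_SPURIOUS = 0.01           # chance one detector gives a false signal in the period
INTERVALS = {"6-monthly": 4380, "3-monthly": 2190}   # proof-test interval, hours
ARRANGEMENTS = {
    "1oo1": (1, 1),
    "1oo2": (1, 2),
    "2oo3": (2, 3),
    "2oo2 (2oo3 with one detector out for maintenance)": (2, 2),
}

def compare(test_interval_hours):
    """Voting results for every arrangement at one proof-test interval."""
    p_fail = pfd_avg(RATE, test_interval_hours)
    return {name: voting(k, n, p_fail, P_SPURIOUS)
            for name, (k, n) in ARRANGEMENTS.items()}

if __name__ == "__main__":
    for label, hours in INTERVALS.items():
        print(f"{label} test, per-detector PFD = {pfd_avg(RATE, hours):.4f}")
        for name, (fail, spurious) in compare(hours).items():
            print(f"  {name:50s} fail-on-demand={fail:.5f}  spurious={spurious:.6f}")
```

With these constructed inputs, the 2oo2 maintenance state is less likely to act on a real demand than a single detector, which is why the maintenance period and voting arrangement need to be stated together in the Performance Standard.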

3.6.5 Survivability

The Performance Standard must state the survivability requirements for each SCE and each of its component parts where there are different requirements to those for the overall system. This makes it clear to all concerned exactly how long the item will need to continue to function in a major emergency in order to fulfil its safety role. For example, one or more of the communications systems and the place of temporary refuge (TR) will be required to function as long as there are any personnel left on the installation. This may be anything from 10 minutes on a small NUI to 2 hours on a large installation. Individual fire or gas detectors, however, may only need to survive for long enough to detect the release or fire and initiate the necessary alarms, shut-downs and blowdowns. This may be only a few seconds. Valve actuation systems may need around a minute.

Whatever the specified survivability, the information provided in the Performance Standard must be clear and unambiguous to the reader. Experience from major disasters both on and offshore indicates that failure to examine, understand and then communicate the survivability requirements of the provided safety systems to the right personnel has been a major contributor to the disaster.

3.6.6 Written schemes of examination (WSEs) or verification

The detailed schemes of examination or verification required under the PFEER and DCR regulations are intended to provide an independent check that:

• the initial design of the safety critical system/element is appropriate for the hazard;

• the SCEs have been procured, installed and commissioned to confirm that they achieve their required function;

• the maintenance being carried out is compatible with the reliability and availability specified in the Performance Standard;

• the maintenance activity takes into account the likely failure modes (especially un-revealed failures) of the components.

The written schemes must be thorough. Since they are derived from the Performance Standard documentation, any essential information omitted from these documents is in danger of being left out of either the maintenance scheme or the written schemes of the independent Competent Person, or both. This will lead to gaps in the platform safety management system. Such gaps may only come to light in the aftermath of a major incident.

The written scheme is required to be “live” through the platform’s lifetime and may be re-affirmed at any time.
